os/hosts/nougat-2/concourse.nix

{
  config,
  lib,
  pkgs,
  self,
  ...
}: let
  pubsolarDomain = import ./pubsolar-domain.nix;

  getSecret = name:
    lib.attrsets.setAttrByPath [name] {
      file = "${self}/secrets/${name}.age";
      mode = "600";
      owner = "concourse";
    };

  keys = [
    "concourse-session-signing-key"
    "concourse-worker-key"
    "concourse-tsa-host-key"
  ];

  secrets =
    [
      "concourse-secrets"
      "concourse-db-secrets"
    ]
    ++ keys;
in {
  age.secrets = lib.lists.foldl (a: b: a // getSecret b) {} secrets;

  users.users.concourse = {
    description = "Concourse Service";
    home = "/var/lib/concourse";
    useDefaultShell = true;
    uid = 10001;
    group = "concourse";
    isSystemUser = true;
  };

  users.groups.concourse = {};

  systemd.tmpfiles.rules = [
    "d '/var/lib/concourse' 0750 concourse concourse - -"
  ];

  virtualisation.oci-containers = {
    containers."concourse-db" = {
      image = "postgres:14";
      autoStart = true;
      user = "994";
      volumes = [
        "/data/concourse/db:/var/lib/postgresql/data"
      ];
      extraOptions = [
        "--network=concourse-net"
      ];
      environmentFiles = [
        config.age.secrets.concourse-db-secrets.path
      ];
    };

    containers."concourse" = {
      image = "concourse/concourse:7.9.1";
      autoStart = true;
      user = "10001";
      ports = [
        "8080:8080"
      ];
      dependsOn = ["concourse-db"];
      extraOptions = [
        "--network=concourse-net"
      ];
      volumes = [
        "${config.age.secrets.concourse-session-signing-key.path}:/keys/session_signing_key"
        "${config.age.secrets.concourse-worker-key.path}:/keys/worker_key"
        "${config.age.secrets.concourse-tsa-host-key.path}:/keys/tsa_host_key"
      ];

      environment = {
        CONCOURSE_EXTERNAL_URL = "https://ci.${pubsolarDomain}";

        CONCOURSE_ADD_LOCAL_USER = "crew:changeme";
        CONCOURSE_MAIN_TEAM_LOCAL_USER = "crew";

        # instead of relying on the default "detect"
        CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER = "overlay";
        CONCOURSE_X_FRAME_OPTIONS = "allow";
        CONCOURSE_CONTENT_SECURITY_POLICY = "*";
        CONCOURSE_CLUSTER_NAME = "pub.solar";
        CONCOURSE_WORKER_CONTAINERD_DNS_SERVER = "8.8.8.8";

        CONCOURSE_SESSION_SIGNING_KEY = "/keys/session_signing_key";
        CONCOURSE_TSA_HOST_KEY = "/keys/tsa_host_key";
        CONCOURSE_TSA_AUTHORIZED_KEYS = "/keys/worker_key";

        # For ARM-based machine, change the Concourse runtime to "houdini"
        CONCOURSE_WORKER_RUNTIME = "containerd";
      };
      environmentFiles = [
        config.age.secrets.concourse-secrets.path
      ];
    };
  };
}
nougat-2 concourse setup 2023-07-02 10:48:34 +00:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`self,`
			`...`
			`}: let`
			`pubsolarDomain = import ./pubsolar-domain.nix;`

			`getSecret = name:`
			`lib.attrsets.setAttrByPath [name] {`
			`file = "${self}/secrets/${name}.age";`
			`mode = "600";`
			`owner = "concourse";`
			`};`

			`keys = [`
			`"concourse-session-signing-key"`
			`"concourse-worker-key"`
			`"concourse-tsa-host-key"`
			`];`

			`secrets =`
			`[`
			`"concourse-secrets"`
			`"concourse-db-secrets"`
			`]`
			`++ keys;`
			`in {`
			`age.secrets = lib.lists.foldl (a: b: a // getSecret b) {} secrets;`

			`users.users.concourse = {`
			`description = "Concourse Service";`
			`home = "/var/lib/concourse";`
			`useDefaultShell = true;`
			`uid = 10001;`
			`group = "concourse";`
			`isSystemUser = true;`
			`};`

			`users.groups.concourse = {};`

			`systemd.tmpfiles.rules = [`
			`"d '/var/lib/concourse' 0750 concourse concourse - -"`
			`];`

			`virtualisation.oci-containers = {`
			`containers."concourse-db" = {`
			`image = "postgres:14";`
			`autoStart = true;`
			`user = "994";`
			`volumes = [`
			`"/data/concourse/db:/var/lib/postgresql/data"`
			`];`
			`extraOptions = [`
			`"--network=concourse-net"`
			`];`
			`environmentFiles = [`
			`config.age.secrets.concourse-db-secrets.path`
			`];`
			`};`

			`containers."concourse" = {`
			`image = "concourse/concourse:7.9.1";`
			`autoStart = true;`
			`user = "10001";`
			`ports = [`
			`"8080:8080"`
			`];`
			`dependsOn = ["concourse-db"];`
			`extraOptions = [`
			`"--network=concourse-net"`
			`];`
			`volumes = [`
			`"${config.age.secrets.concourse-session-signing-key.path}:/keys/session_signing_key"`
			`"${config.age.secrets.concourse-worker-key.path}:/keys/worker_key"`
			`"${config.age.secrets.concourse-tsa-host-key.path}:/keys/tsa_host_key"`
			`];`

			`environment = {`
			`CONCOURSE_EXTERNAL_URL = "https://ci.${pubsolarDomain}";`

			`CONCOURSE_ADD_LOCAL_USER = "crew:changeme";`
			`CONCOURSE_MAIN_TEAM_LOCAL_USER = "crew";`

			`# instead of relying on the default "detect"`
			`CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER = "overlay";`
			`CONCOURSE_X_FRAME_OPTIONS = "allow";`
			`CONCOURSE_CONTENT_SECURITY_POLICY = "*";`
			`CONCOURSE_CLUSTER_NAME = "pub.solar";`
			`CONCOURSE_WORKER_CONTAINERD_DNS_SERVER = "8.8.8.8";`

			`CONCOURSE_SESSION_SIGNING_KEY = "/keys/session_signing_key";`
			`CONCOURSE_TSA_HOST_KEY = "/keys/tsa_host_key";`
			`CONCOURSE_TSA_AUTHORIZED_KEYS = "/keys/worker_key";`

			`# For ARM-based machine, change the Concourse runtime to "houdini"`
			`CONCOURSE_WORKER_RUNTIME = "containerd";`
			`};`
			`environmentFiles = [`
			`config.age.secrets.concourse-secrets.path`
			`];`
			`};`
			`};`
			`}`